CORS Misconfig that ended in 120$ bounty

Gnana Aravind K
Mar 6, 2023

Hi ppl, this is Aravind (aravind0x7) here with another write-up, this time about a CORS bug that ended up getting a 120$ bounty. I took a break from bug hunting for the past two months, so I was not able to share any write-ups or blogs. Fine! Let’s start. I hope this blog helps you guys learn something about Cross-Origin Resource Sharing (CORS) vulnerabilities.

Hmm… It’s time to hack

Back Story

I got this private program from one of my friends and started testing it. As usual, I started by enumerating the domain and fuzzing the URLs. After some time I moved on to testing the main domain for basic bugs like XSS, HTML injection and other low-hanging fruit, but I hit a dead end as nothing was found. A recent blog I had read on Medium pointed me towards CORS-related bugs. For that I used the URL-fetching tools GAU & Wayback URLs and then grepped out all the API endpoints. Looking through those, one endpoint stood out: ‘https://target.com/api/v5/user/sync/’. And the story begins here…

Exploiting CORS

Before getting into this, if you have no idea about CORS, kindly refer to this article, as I don't want to copy-paste the same content. You can verify that a site is vulnerable by sending the request with an arbitrary origin, e.g. Origin: https://attacker_site.com, and looking for a response that reflects that origin in Access-Control-Allow-Origin along with Access-Control-Allow-Credentials: true. After verifying this, I started attacking the specific endpoint with some payloads. For the exact exploit scenario I request you to go through the two HackerOne reports below; I simply reproduced the same steps from those reports. Get the reports here: Report 1 & Report 2.
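To make the verification step above concrete from the defender's side, here is an added example (not code from the original post or from the target program) that puts the misconfigured handler next to a hardened one and adds a small audit function for response headers. The origins and the allowlist are constructed values; the handlers are plain functions rather than a real web framework.

```python
"""Reflecting-origin CORS handler (the misconfiguration) beside an
allowlist-based handler, plus an audit check over response headers.
All origins below are constructed for the example."""

# Constructed allowlist. In production this comes from configuration,
# never from anything in the incoming request.
ALLOWED_ORIGINS = {"https://app.target.example", "https://admin.target.example"}


def cors_headers_reflecting(request_origin):
    """Misconfigured: echoes whatever Origin the browser sent and also
    allows credentials, so any site can read authenticated responses."""
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlist(request_origin, allowed=ALLOWED_ORIGINS):
    """Hardened: exact-match allowlist. Unknown origins (including 'null')
    get no CORS headers at all, so the browser blocks the read."""
    if request_origin is None or request_origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        # Tell caches the response depends on Origin, so one origin's
        # Access-Control-Allow-Origin is never served to another.
        "Vary": "Origin",
    }


def is_cors_misconfigured(request_origin, response_headers, trusted):
    """Audit check: can a foreign origin read this response with the
    victim's cookies? This is the condition the write-up looks for."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials", "")
    creds = creds.strip().lower() == "true"
    if acao is None or not creds:
        # No credentialed cross-origin read is possible.
        return False
    if acao == "*":
        # Browsers refuse '*' together with credentials, but it still
        # indicates a sloppy configuration worth reporting.
        return True
    if acao == "null":
        # Sandboxed iframes and data: URLs send Origin: null.
        return True
    return acao == request_origin and request_origin not in trusted


if __name__ == "__main__":
    probe = "https://attacker_site.example"
    for name, handler in (("reflecting", cors_headers_reflecting),
                          ("allowlist", cors_headers_allowlist)):
        headers = handler(probe)
        flagged = is_cors_misconfigured(probe, headers, ALLOWED_ORIGINS)
        print(f"{name:10s} -> {headers} misconfigured={flagged}")
```

Run against a captured response, the audit function returns True exactly when the response reflects an untrusted origin with credentials enabled, which is the state the article's manual check is looking for; the allowlist handler never produces that state.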

On successful exploitation you will get an alert box, just like with XSS; refer to the image below.

Alert with sensitive user data

Impact: you can create a fake HTML page, as shown in the HackerOne report, that holds the exploit code, and if the victim is logged in, the sensitive data returned to the browser can be stolen by the attacker through this vulnerability. On further exploitation, attackers may be able to bypass IP-based access controls by proxying through users’ browsers.

So that's all for this short write-up on CORS; I hope you guys enjoyed it, and thanks for reading. I was awarded 120$ as this is a medium-severity bug. If possible, you can increase the severity by demonstrating greater impact. Finally, never lose hope in your hunting process…

Ok, let’s get connected!

Portfolio: www.aravind0x7.in

Instagram: aravind_0x7

Twitter: gnana_aravind07

LinkedIn: https://www.linkedin.com/in/gnana-aravind/


Gnana Aravind K

Bug Bounty Hunter | Arduino & IoT Developer | Hacktivist